# Local Endpoints


**Audience:** IT admins who run management tasks against the agent (health checks, plugin control, jobs, settings) from scripts or tools.

### Overview

Keeper Privilege Manager exposes an **HTTP/HTTPS API** on **localhost only** (default ports 6888 HTTP, 6889 HTTPS). Use it for health checks, plugin start/stop/restart, job listing and trigger, settings and plugin settings, registration, and other management operations. All endpoints are **local** to the machine; they are not intended to be exposed to the network.

**Base URLs:**

* **HTTP:** `http://127.0.0.1:6888`
  * HTTP automatically redirects to HTTPS.
* **HTTPS:** `https://127.0.0.1:6889`
  * Because this communication occurs entirely on the local machine, KEPM automatically manages the certificate lifecycle and validation. The certificate is kept in memory (not written to disk), is rotated internally, and a new certificate is generated each time the service starts.

**Authorization levels:**

* **Public** — No auth (health, root, system status).
* **Plugin** — Caller must be a process launched by Keeper Privilege Manager with a valid certificate (e.g. plugins, jobs).
* **Elevated Admin** — Caller must have admin privileges (or be a trusted system process) and a valid certificate.

Many management operations require **Plugin** or **Admin**. Scripts run manually often use **Admin** (e.g. from an elevated PowerShell or as root). For certificate-based calls, the product may provide a client certificate for script use; see your deployment docs.

## Public Endpoints (no auth)

Use these for monitoring and basic checks.

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="110.99993896484375">Method</th><th width="192.6666259765625">Path</th><th>Description</th></tr></thead><tbody><tr><td>GET</td><td><code>/health</code></td><td>Health check. Returns status (e.g. healthy), timestamp, version.</td></tr><tr><td>GET</td><td><code>/</code></td><td>Root; service name, status, version.</td></tr><tr><td>GET</td><td><code>/api/system/status</code></td><td>System status: running, plugin count, job count (total/enabled).</td></tr></tbody></table>

#### **Examples:**

```
curl -k https://localhost:6889/health
curl -k https://localhost:6889/
curl -k https://localhost:6889/api/system/status
```

## Plugin Management

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="99">Method</th><th width="262.6666259765625">Path</th><th width="82.6666259765625">Auth</th><th>Description</th></tr></thead><tbody><tr><td>GET</td><td><code>/api/plugins</code></td><td>Plugin</td><td>List all plugins (id, name, status, processId, lastStartTime).</td></tr><tr><td>POST</td><td><code>/api/plugins/{name}/start</code></td><td>Admin</td><td>Start a plugin.</td></tr><tr><td>POST</td><td><code>/api/plugins/{name}/stop</code></td><td>Admin</td><td>Stop a plugin.</td></tr><tr><td>POST</td><td><code>/api/plugins/{name}/restart</code></td><td>Admin</td><td>Restart a plugin.</td></tr></tbody></table>

Replace `{name}` with the plugin id (e.g. KeeperPolicy, KeeperAPI). Use these to recover from a stuck plugin or after changing plugin config.

## Job Management

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="98.3333740234375">Method</th><th width="248.3333740234375">Path</th><th width="82.666748046875">Auth</th><th>Description</th></tr></thead><tbody><tr><td>GET</td><td><code>/api/Jobs</code></td><td>Plugin</td><td>List all registered jobs (id, name, enabled, schedule, last run).</td></tr><tr><td>GET</td><td><code>/api/Jobs/{jobId}</code></td><td>Plugin</td><td>Get one job by id.</td></tr><tr><td>POST</td><td><code>/api/Jobs</code></td><td>Admin</td><td>Create a job (JSON body).</td></tr><tr><td>PUT</td><td><code>/api/Jobs/{jobId}</code></td><td>Admin</td><td>Update a job.</td></tr><tr><td>DELETE</td><td><code>/api/Jobs/{jobId}</code></td><td>Admin</td><td>Delete a job.</td></tr><tr><td>POST</td><td><code>/api/Jobs/{jobId}/run</code></td><td>Admin</td><td>Run job immediately.</td></tr><tr><td>POST</td><td><code>/api/Jobs/{jobId}/trigger</code></td><td>Admin</td><td>Trigger job with event context (JSON body).</td></tr><tr><td>POST</td><td><code>/api/Jobs/validate</code></td><td>Admin</td><td>Validate job JSON (POST body = job JSON).</td></tr></tbody></table>

Use **run** or **trigger** for on-demand execution; use **validate** before creating or updating jobs.

## Settings

### Plugin Settings

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="101.37109375">Method</th><th width="307.875">Path</th><th width="86.625">Auth</th><th>Description</th></tr></thead><tbody><tr><td>GET</td><td><code>/api/PluginSettings/{pluginName}</code></td><td>Plugin</td><td>Get all settings for a plugin.</td></tr><tr><td>GET</td><td><code>/api/PluginSettings/{pluginName}/{settingName}</code></td><td>Plugin</td><td>Get one plugin setting.</td></tr><tr><td>PUT</td><td><code>/api/PluginSettings/{pluginName}/{settingName}</code></td><td>Admin</td><td>Update one plugin setting (body = value).</td></tr><tr><td>POST</td><td><code>/api/PluginSettings/revert-all</code></td><td>Admin</td><td>Re-import all plugin settings from their JSON files on disk.</td></tr><tr><td>POST</td><td><code>/api/PluginSettings/{pluginName}/revert</code></td><td>Admin</td><td>Re-import one plugin’s settings from its JSON file.</td></tr></tbody></table>

Use **revert** or **revert-all** after editing plugin JSON files or after pushing config via policy so the in-memory settings match disk.

### Keeper Registration

<table data-header-hidden="false" data-header-sticky><thead><tr><th width="107.69140625">Method</th><th>Path</th><th>Auth</th><th>Description</th></tr></thead><tbody><tr><td>GET</td><td><code>/api/Keeper/registration</code></td><td>Plugin</td><td>Get agent registration status (AgentUID, IsRegistered, Hostname, etc.).</td></tr><tr><td>POST</td><td><code>/api/Keeper/register</code></td><td>Admin (or public in some deployments)</td><td>Register agent; query param <code>token=...</code> (and optional <code>force=true</code>).</td></tr><tr><td>POST</td><td><code>/api/Keeper/unregister</code></td><td>Admin</td><td>Unregister agent.</td></tr></tbody></table>

#### **Example (register):**

```
curl -X POST "https://localhost:6889/api/Keeper/register?token=YOUR_TOKEN" -k
```

## Other Endpoint Groups

The API also includes endpoints for:

* **Audit** — GET/POST audit events.
* **Notifications** — Send notifications.
* **File access** — Request, grant, revoke file access; history.
* **User session** — Launch process in user session, validate launch.
* **Ephemeral** — Launch ephemeral account, list/delete accounts, cleanup.
* **Controls** — Control requests, approvals, launch approved request.
* **Credentials** — Risk assessment credentials (store/get/delete).
* **Path variables** — Create/update/delete custom path variables (if enabled).

Exact paths and request/response shapes follow the product’s API; the tables above cover the most common **management** tasks. For scripting, use **HTTPS**, handle **403** (auth) and **404** (not found), and use Admin or the appropriate certificate where required.
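A small client for the scripting guidance above, added here as an example and not Keeper's own code. It mirrors the page's `curl -k` but refuses any base URL that is not HTTPS on loopback, and it reports 403 and 404 as distinct errors. The names `call`, `KepmApiError` and the `opener` parameter are hypothetical, and client-certificate handling is left out because the page defers it to your deployment docs.

```python
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

BASE_URL = "https://127.0.0.1:6889"  # HTTPS base URL from this page
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


class KepmApiError(Exception):
    """Failed request, with a reason the calling script can act on."""


def _local_tls_context():
    # Mirrors the page's `curl -k`: the agent's certificate lives in memory and
    # is regenerated at each service start, so there is no file to pin.
    # Skipping verification is tolerable only because call() pins to loopback.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def call(method, path, base_url=BASE_URL, data=None, opener=None):
    """Send one request; return (status, body_text) or raise KepmApiError."""
    parts = urlsplit(base_url)
    if parts.scheme != "https" or parts.hostname not in LOOPBACK_HOSTS:
        raise KepmApiError(f"refusing non-local or non-HTTPS base URL: {base_url}")
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    if opener is None:  # hypothetical hook so the logic can be exercised offline
        opener = lambda r: urllib.request.urlopen(r, timeout=5, context=_local_tls_context())
    try:
        with opener(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # must precede URLError (its parent class)
        if err.code == 403:
            raise KepmApiError(f"403 on {path}: caller lacks the required auth level") from err
        if err.code == 404:
            raise KepmApiError(f"404 on {path}: no such endpoint, plugin or job") from err
        raise KepmApiError(f"HTTP {err.code} on {path}") from err
    except urllib.error.URLError as err:
        raise KepmApiError(f"agent not reachable at {base_url}: {err.reason}") from err


if __name__ == "__main__":
    for public_path in ("/health", "/api/system/status"):
        print(call("GET", public_path))
```
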

